Skip to main content

About the Amazon S3 Activity Log Integration

Amazon S3 Activity Log Integration in Iru Endpoint enables organizations to export unified tenant activity logs to a self-hosted S3 bucket for centralized collection and analysis with SIEM services.

How It Works

This integration pushes event data to your specified S3 bucket using cross-account access via an Iru Endpoint-provided IAM role. Once configured, it delivers the same tenant activity events you review on Unified Activity. That includes activity across Tenant (System), Endpoint, Detections, Vulnerabilities, and Compliance. Use Unified Activity to browse and filter what was recorded; use your S3 bucket for long-term storage, SIEM ingestion, or offline analysis. For event field definitions and API details, refer to the activity log API documentation.
The first log collection after the Integration is connected only includes the previous hour of activity. Subsequent activity log collection will occur hourly.

Prerequisites

Before configuring this integration, ensure the following:
  • You have an active AWS account.
  • You have permissions to create a new S3 bucket.
  • You have permissions to create an IAM Role with AssumeRole and S3 write permissions.

Setting Up AWS Access

Iru Endpoint Integration Setup

1

Open Integrations

Click your name at the bottom of the left navigation, then select Integrations.
Screenshot of the account menu with Integrations option highlighted
2

Discover Integrations

Click Discover integrations in the upper-right of the Integrations page.
3

Add S3 Integration

Under Security integrations, click Add and configure under Amazon S3 Activity Log Integration.
4

Copy IAM Role

Copy the value for IRU_ENDPOINT_IAM_ROLE and store the value in a secure location.
5

Copy AWS Account ID

Copy the value for IRU_ENDPOINT_AWS_ACCOUNT_ID and store the value in a secure location.
6

Store Values Securely

These values will be used as part of your IAM role permissions in the next section.

Creating S3 Bucket

You must create a new S3 Bucket to use the Amazon S3 Activity Log Integration.
1

Access AWS Console

Log in to AWS.
2

Navigate to S3

Navigate to Amazon S3 > Buckets.
3

Create Bucket

Click Create bucket.
4

Select Bucket Type

Choose the General purpose bucket type.
5

Enter Bucket Name

Enter a memorable Bucket name.
  • This name will be referenced in policies.
6

Configure Public Access

Under Block Public Access settings for this bucket, ensure that the Block all public access option is selected.
7

Set Versioning

Under Bucket Versioning, keep the Disable option selected.
8

Configure Encryption

Under Encryption type, select Server side encryption with Amazon S3 managed Keys (SSE-S3).
9

Enable Bucket Key

Under Bucket Key, select Enabled.
10

Review Configuration

Iru Endpoint currently only supports the default encryption options defined above.
11

Create Bucket

Click Create bucket.
12

Select Created Bucket

Select the bucket you just created.
13

Access Permissions

Click the Permissions tab.
14

Edit Bucket Policy

Under Bucket policy, click Edit.
15

Add Bucket Policy

Add the following bucket policy to the role permissions. Click Save changes.
1

Replace bucket name references

Replace all reference to BUCKET_NAME with the name of the bucket you just created.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::BUCKET_NAME/*",
              "arn:aws:s3:::BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
1

Navigate to IAM

In AWS, navigate to IAM > Roles.
2

Create New Role

Click Create role.
3

Select Trust Policy

Select Custom trust policy.
4

Add Custom Trust Policy

Add the Custom trust policy below to allow Iru Endpoint to assume this role when writing to your S3 bucket.
  • Replace the IRU_ENDPOINT_AWS_ACCOUNT_ID and IRU_ENDPOINT_IAM_ROLE text with the values you made a note of at the beginning of the article. 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::IRU_ENDPOINT_AWS_ACCOUNT_ID:role/IRU_ENDPOINT_IAM_ROLE"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
5

Continue Role Creation

Click Next.
6

Skip Permissions

On the Add permissions screen, select Next without selecting any of the listed Permissions policies.
7

Add Role Details

Add a Role name and Description.
8

Complete Role Creation

Click Create role.
9

Select Created Role

Select the IAM Role you just created.
10

Access Permissions Tab

Click on the Permissions tab.
11

Add Permissions

Click Add permissions.
12

Create Inline Policy

Click Create inline policy.
13

Switch to JSON

Click the JSON tab.
14

Enter Inline Policy

Enter the following for the inline policy:
1

Replace bucket name

Replace BUCKET_NAME - replace this with the name of the bucket you created that Iru Endpoint will place the activity log files in.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::BUCKET_NAME"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}
15

Continue Policy Creation

Click Next.
16

Name Policy

Enter a Policy name.
17

Create Policy

Click Create policy.

Setting Up the Integration in Iru Endpoint

Once the above is configured in your AWS account, you can proceed to setting up the integration in your Iru Endpoint account.
1

Open Integrations

Click your name at the bottom of the left navigation, then select Integrations.
Screenshot of the account menu with Integrations option highlighted
2

Discover Integrations

Click Discover integrations in the upper-right of the Integrations page.
3

Add S3 Integration

Under Security integrations, click Add and configure under Amazon S3 Activity Log Integration.
4

Continue Setup

Click Next.
5

Enter AWS Account ID

Enter the AWS Account ID.
6

Enter S3 Bucket Name

Enter the S3 Bucket Name for the bucket that was created earlier in this guide.
7

Set Destination Path

Optionally, enter a Destination Path.
8

Enter IAM Role ARN

Enter the IAM Role ARN for the IAM Role that was created earlier in this guide.
9

Enter AWS Region

Enter the AWS Region.
10

Connect to S3

Click Connect to S3.
11

Verify Connection

Iru Endpoint will attempt to upload and delete a test file in the provided S3 bucket. If Iru Endpoint is unable to successfully integrate to your S3 bucket, you will not be able to save and will need to follow the error messages surfaced in the UI to fix the connection.
12

Verify Event Data

Check your S3 bucket to confirm that Iru Endpoint is pushing activity log data. This will take a maximum of two hours, provided that tenant activity events have been generated on your account.

Considerations

Activity Log Frequency: Activity log events are updated hourly, with the first collection including only the previous hour of activity. Exported events match Unified Activity scope (all supported Tenant, Endpoint, Detections, Vulnerabilities, and Compliance activity types). IAM Role Permissions: The IAM role must have the necessary permissions to allow Iru Endpoint to assume that role and write to the S3 bucket. S3 Bucket Policy: You may need to adjust the S3 Bucket policy to allow Iru Endpoint to write objects to the bucket. Security Requirements: Ensure the S3 bucket has proper encryption enabled and public access is blocked for security compliance. Data Retention: Consider implementing S3 lifecycle policies to manage log data retention and storage costs. Monitoring: Set up CloudWatch alarms to monitor S3 bucket access and activity log delivery.

Unified Activity

Browse, search, and filter the same tenant activity events in the Iru web app before or after they export to S3.

Activity Page

Current Endpoint activity timeline, available alongside Unified Activity while it is in Preview.